From a cloud-init perspective, one area of concern is around manipulation of sshd config.
Cloud-init does make changes to sshd config, in particular it controls the PasswordAuthentication value based on cloud-config values, ssh_pwauth: <yes/no/unchanged>. Cloud-init will read in sshd, update a key/value and write out the file and then restart the service. See the code for details.

https://github.com/canonical/cloud-init/blob/master/cloudinit/config/cc_set_passwords.py#L97

The second area of concern is user confusion. Typical work-flows for cloud-init user-data include importing and setting ssh keys for users. In the ec2-instance-connect workflow, the user-data cloud-init writes to the instance won't actually be used, rather ec2-instance-connect will query ec2 for what the current set of authorized keys is. The sshd man page suggests that if the response does not include output that can verify the key it will fall back to reading .ssh keys. It's not clear to me (or users) which keys were used to authorize access to the system.

I would also express additional concern in the area of time to ssh into instances; with this feature enabled, there is additional overhead for each and every ssh connection.

--
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect
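The two concerns in the message above can be checked on a host with a small sshd_config audit. This is an added example, not code from cloud-init or ec2-instance-connect: it performs a read/update/write of one key that leaves other directives untouched, and reports which public-key sources are enabled. The function names are hypothetical, the sample config and helper path are constructed, and `Include` files and per-`Match` overrides are not evaluated.

```python
# Constructed sample of an sshd_config edited by both tools; the helper path
# is a placeholder, not the path the ec2-instance-connect package installs.
SAMPLE = """\
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand /placeholder/keys-helper %u %f
AuthorizedKeysCommandUser nobody
Match User backup
    PasswordAuthentication no
"""

def directives(text):
    """Yield (line_index, keyword, value) for global directives (before any Match)."""
    for i, line in enumerate(text.splitlines()):
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            return
        yield i, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""

def effective(text):
    """sshd uses the first value it obtains for a keyword, so keep the first."""
    cfg = {}
    for _, key, value in directives(text):
        cfg.setdefault(key, value)
    return cfg

def set_option(text, keyword, value):
    """Rewrite the first global occurrence, else insert ahead of any Match block."""
    lines = text.splitlines()
    for i, key, _ in directives(text):
        if key == keyword.lower():
            lines[i] = f"{keyword} {value}"
            break
    else:
        pos = next((i for i, l in enumerate(lines)
                    if l.lower().split()[:1] == ["match"]), len(lines))
        lines.insert(pos, f"{keyword} {value}")
    return "\n".join(lines) + "\n"

def key_sources(text):
    """Which public-key sources are enabled: the command, the files, or both."""
    cfg = effective(text)
    sources = []
    if cfg.get("authorizedkeyscommand", "none").lower() != "none":
        sources.append("command")
    default_files = ".ssh/authorized_keys .ssh/authorized_keys2"  # upstream default
    if cfg.get("authorizedkeysfile", default_files).lower() != "none":
        sources.append("file")
    return sources
```

When `key_sources` returns both entries, a login may have been authorized from either source, which is the ambiguity the message describes.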